Notorious ransomware gang Conti has apparently taken its infrastructure offline and shut down its operation. Members of the gang, which is currently engaged in a high-profile ransomware campaign against Costa Rica, are thought to be forming alliances with other, smaller groups as a way of rebranding. Increased attention from US law enforcement agencies, which has led to a $15m bounty being posted for any information about the criminals running Conti, is thought to be one of the main drivers behind the move.

Conti has been at war with Costa Rica for four weeks. But now the gang appears to be shutting down. (Photo by Arnoldo Robert/Getty Images)

Conti’s departure marks a “truly historic day in the [cybersecurity] community,” according to researcher at security company AdvIntel, Yelisey Boguslavskiy. The gang has been active since 2020, and has been a thorn in the side of public sector organisations around the world, most notably hitting the Irish healthcare system in 2021, before beginning its sustained barrage of attacks against Costa Rica last month.

https://twitter.com/y_advintel/status/1527360416724094989

Boguslavskiy noted that some of the online infrastructure has remained, such as the older version of its victim blog, but that “the internal panels and hosts are down”.

Why has Conti shut down?

The increased recklessness of Conti’s behaviour tipped off cybersecurity researchers that it could be planning big changes, so today’s news is not a big surprise. Its actions in the Costa Rica attack reflect this, with the gang having upped its ransom demand and threatened to topple the government if it is not appeased.

“Conti is likely to have multiple other ‘side hustles’ in the cybercrime scene, including the Karakurt data extortion group and the new BlackBasta gang,” Louise Ferrett of Searchlight Security told Tech Monitor earlier this month. “The group may be less concerned about ‘burning’ the Conti identity if they already have these alternative revenue streams lined up.”

Last month Conti appeared to pledge its support for Russia’s invasion of Ukraine, before quickly backtracking in the face of criticism from other hackers. But its retraction came too late to stop pro-Ukraine hacktivists from leaking information about the group online.

Today’s news is “an interesting development that was foreshadowed with regards to Conti’s behaviour becoming increasingly reckless – even by ransomware gang standards,” Ferrett says.

She adds: “I’d say the key reasons they would ‘disband’ – though it’s more like a rebrand in actual fact – are an increase in law enforcement attention from the US ($15m reward), as well as the continued PR scandals and OPSEC fails they’ve experienced in the last year or so, including the leaking of their internal training handbook and tools last year, plus the more recent extensive leaks of their internal chats, damaging their reputation in the cybercrime world.”

What next for Conti hackers after group shut down?

AdvIntel has suggested that the operation in Costa Rica was conducted to cloak its transition to multiple, smaller gangs. “The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” the company says. Whether today’s news will impact negotiations with the Costa Rican government, which has so far refused to pay the ransom demanded, remains to be seen.

Both Karakurt and BlackBasta have been highlighted as possible new Conti affiliate gangs, alongside other active groups such as Hive, HelloKitty, BlackCat, AvosLocker, BlackByte and the BazarCall Collective.

Evidence that Conti has been operating through other, smaller gangs first came to light in February, when the San Francisco 49ers American football team was hit with a ransomware attack during Super Bowl weekend, an attack thought to have been carried out by the hacking gang BlackByte. However, the evidence suggests that BlackByte isn’t an independent gang at all, but “was created for the sole purpose of maximising Conti’s monetary data extortion,” AdvIntel researchers say.

Ferrett says it’s not yet clear which of these groups are true Conti spin-offs. “Most are pretty confident that the Karakurt group is a data-theft subgroup of Conti,” she says. “There was speculation around BlackBasta being the successor to Conti, with good reason, but that’s been disputed by Conti themselves who disparaged BlackBasta as ‘kids’.”

She also believes the gang may reform despite today’s development. “I think it’s possible Conti could create a whole new identity rather than trying to grow any of its suspected subgroups.”
